 
HJL
just joined
Topic Author
Posts: 2
Joined: Sun May 12, 2019 4:26 pm

no internet access

Sun May 12, 2019 4:32 pm

Hello.

I am a new user of mikrotik routers, I try to use it as a home router with WLAN.
The integration of different networks works well, the Internet connection is available.
Unfortunately, I cannot connect to the Internet; there is a fundamental error in my configuration. Can someone help me find the mistake? If possible with an explanation, so that I can understand it. Thank you in advance...
Here is my configuration:
# may/12/2019 12:48:11 by RouterOS 6.44.2
# software id = XXXX-XXXX
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = XXXXXXXXXXXX
# Single bridge with VLAN filtering switched on; per-VLAN port membership is
# declared separately under "/interface bridge vlan".
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge vlan-filtering=yes
# Non-default MTU on both uplink-capable ports.
# NOTE(review): the reply in this thread lists the MTU values among the
# oddities - confirm the provider link really needs them.
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-full mtu=1598
set [ find default-name=sfp1 ] advertise=1000M-full mtu=1598
# vlan7 sits directly on sfp1 and is the carrier for the PPPoE client below.
# vlan10/20/30 sit on the bridge; use-service-tag=yes selects the 802.1ad
# service tag instead of the ordinary 802.1Q tag, which the reply in this
# thread advises against unless QinQ is actually in use.
/interface vlan
add interface=sfp1 mtu=1560 name=vlan7 vlan-id=7
add interface=bridge name=vlan10 use-service-tag=yes vlan-id=10
add interface=bridge name=vlan20 use-service-tag=yes vlan-id=20
add interface=bridge name=vlan30 use-service-tag=yes vlan-id=30
# PPPoE session over vlan7; add-default-route=yes installs the default route.
# NOTE(review): the export writes user and password in clear text. The values
# shown look like placeholders; when sharing a real export, redact them or
# produce it with "export hide-sensitive".
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7 max-mru=1500 max-mtu=\
    1500 name=pppoe-out1 password=12345678 service-name=Telekom user=\
    123456781234567812345678@t-online.de
# The two lists the firewall, neighbor discovery and MAC server settings key
# on; members are assigned under "/interface list member".
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# WPA2-PSK only on every profile; the pre-shared keys were masked by the
# poster. The default profile still carries a wpa-pre-shared-key value even
# though plain WPA is not in authentication-types.
# profile10 -> CompNET, profile20 -> SpyNET, profile30 -> HomeNET (see the
# security-profile= references in the wireless section).
# management-protection is "allowed", i.e. not required.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    supplicant-identity=MikroTik wpa-pre-shared-key=XxXxXxX \
    wpa2-pre-shared-key=XxXxXxX
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile10 supplicant-identity="" \
    wpa2-pre-shared-key=XxXxXxX
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile20 supplicant-identity="" \
    wpa2-pre-shared-key=XxXxXxX
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile30 supplicant-identity="" \
    wpa2-pre-shared-key=XxXxXxX
# Two physical radios (2.4 GHz and 5 GHz) serve CompNET on VLAN 10; each
# carries two virtual APs: HomeNET (VLAN 30) and SpyNET (VLAN 20).
# WPS is disabled on every interface.
# vlan-mode=use-service-tag tags client traffic with the 802.1ad service tag;
# the reply in this thread recommends the normal tag (use-tag) unless QinQ is
# intended.
# NOTE(review): the virtual-AP MAC addresses are posted unmasked, unlike the
# bridge admin-mac.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge name=comp_net_2 \
    security-profile=profile10 ssid=CompNET vlan-id=10 vlan-mode=\
    use-service-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=\
    indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge \
    name=comp_net_5 security-profile=profile10 ssid=CompNET vlan-id=10 \
    vlan-mode=use-service-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:3F \
    master-interface=comp_net_2 multicast-buffering=disabled name=home_net_2 \
    security-profile=profile30 ssid=HomeNET vlan-id=30 vlan-mode=\
    use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:3D \
    master-interface=comp_net_5 multicast-buffering=disabled name=home_net_5 \
    security-profile=profile30 ssid=HomeNET vlan-id=30 vlan-mode=\
    use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:3E \
    master-interface=comp_net_2 multicast-buffering=disabled name=spy_net_2 \
    security-profile=profile20 ssid=SpyNET vlan-id=20 vlan-mode=\
    use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:40 \
    master-interface=comp_net_5 multicast-buffering=disabled name=spy_net_5 \
    security-profile=profile20 ssid=SpyNET vlan-id=20 vlan-mode=\
    use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# One address pool per network.
# NOTE(review): dhcp10 includes 192.168.10.250, the address handed out as DNS
# server under "/ip dhcp-server network"; no static lease for it is shown, so
# it could be leased to another client.
# NOTE(review): pool100 starts at 192.168.100.1, which is the router's own
# address on the bridge - the range should exclude it.
/ip pool
add name=dhcp10 ranges=192.168.10.5-192.168.10.254
add name=dhcp20 ranges=192.168.20.5-192.168.20.254
add name=dhcp30 ranges=192.168.30.5-192.168.30.254
add name=pool100 ranges=192.168.100.1-192.168.100.254
# One DHCP server per VLAN interface plus one on the bridge itself.
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=vlan10 name=server10
add address-pool=dhcp20 disabled=no interface=vlan20 name=server20
add address-pool=dhcp30 disabled=no interface=vlan30 name=server30
add address-pool=pool100 disabled=no interface=bridge name=server100
# Bridge ports: ether2-5, sfp1 and all six wireless interfaces.
# NOTE(review): sfp1 is also the parent of vlan7 (PPPoE uplink) and a member
# of the WAN list, so the provider-facing port is bridged together with the
# LAN ports. The reply in this thread advises removing sfp1 from the bridge.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
add bridge=bridge interface=comp_net_2
add bridge=bridge interface=comp_net_5
add bridge=bridge interface=spy_net_2
add bridge=bridge interface=spy_net_5
add bridge=bridge interface=home_net_2
add bridge=bridge interface=home_net_5
# Sends bridged (including VLAN-tagged and PPPoE) traffic through the IP
# firewall chains.
# NOTE(review): presumably enabled to filter between bridged hosts - confirm
# it is intended, as it is not part of the default configuration.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Per-VLAN membership table. Each entry tags the vlanNN interface and the two
# matching wireless interfaces and lists the bridge itself as untagged.
# NOTE(review): the reply in this thread identifies this as the main fault and
# proposes tagged=bridge,<wireless ports> with no untagged=bridge entry.
/interface bridge vlan
add bridge=bridge tagged=vlan10,comp_net_2,comp_net_5 untagged=bridge \
    vlan-ids=10
add bridge=bridge tagged=vlan20,spy_net_2,spy_net_5 untagged=bridge vlan-ids=\
    20
add bridge=bridge tagged=vlan30,home_net_2,home_net_5 untagged=bridge \
    vlan-ids=30
# LAN = bridge + vlan10/20/30; WAN = ether1 + pppoe-out1 + sfp1.
# Because every VLAN interface is in LAN, the input-chain rule that drops
# "not coming from LAN" lets clients of all three wireless networks reach the
# router's own services, and MAC server / neighbor discovery are open to them
# as well. Use a narrower list if only one network should manage the router.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=sfp1 list=WAN
# Router address (.1) in each VLAN subnet and on the untagged bridge network.
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
# Default-configuration DHCP client on ether1; the uplink in this setup is the
# PPPoE client, and the reply in this thread notes ether1 is otherwise unused.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.10.5 comment="Desk" mac-address=XX:XX:XX:XX:XX:XX \
    server=server10
# Every network is told to use 192.168.10.250 as DNS server.
# NOTE(review): the forward chain drops traffic from 192.168.20.0/24 and
# 192.168.30.0/24 to 192.168.10.0/24, so clients in VLAN 20 and 30 cannot open
# new connections to that resolver; name resolution will likely fail there
# unless an accept rule for DNS is placed before those drops or the router
# address is handed out instead.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.250 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.250 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.250 gateway=192.168.30.1
add address=192.168.100.0/24 dns-server=192.168.10.250 gateway=192.168.100.1
# allow-remote-requests=yes makes the router answer DNS queries itself.
# Exposure to the Internet depends on the input-chain rule that drops
# everything not arriving from the LAN list; keep that rule in place.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Private, reserved and documentation ranges; referenced only by the
# "drop bogons<-WAN" forward rule below.
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
# Rules are evaluated top to bottom; order matters.
#
# input chain (traffic to the router itself): the defconf set. The last input
# rule drops everything that does not arrive from an interface in the LAN
# list, so anything in LAN (bridge, vlan10, vlan20, vlan30) may reach router
# services.
#
# forward chain: defconf rules, then a bogon drop, then pairwise drops between
# the three VLAN subnets.
# NOTE(review): "drop bogons<-WAN" matches in-interface=vlan7, but routed
# traffic from the provider should arrive on pppoe-out1 (the PPPoE client runs
# on top of vlan7), so this rule likely never matches; it also sits after the
# rule that already drops new WAN connections. The reply in this thread
# mentions WAN rules on incorrect interfaces.
# NOTE(review): the isolation rules cover 192.168.10/20/30 only. No rule
# mentions 192.168.100.0/24 and the chain has no final drop, so traffic
# between the bridge network and the VLANs is not filtered.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop bogons<-WAN" in-interface=vlan7 \
    src-address-list=bogons
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.20.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=\
    192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.30.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=\
    192.168.20.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.30.0/24
# Source NAT for everything leaving through an interface in the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Telnet and SSH are switched off.
# NOTE(review): no other service appears in this export, so the remaining
# ones are presumably at their defaults - check "/ip service print" and
# disable or address-restrict what is not needed.
/ip service
set telnet disabled=yes
set ssh disabled=yes
# NOTE(review): allow-none-crypto=yes permits SSH sessions that negotiate no
# encryption. It has no effect while the SSH service is disabled, but it
# should be set back to "no" so that re-enabling SSH later does not allow
# unencrypted sessions.
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system leds
set 0 interface=pppoe-out1 type=interface-transmit
set 1 interface=spy_net_5 type=interface-transmit
set 2 type=interface-transmit
# NTP servers are given by name, so time sync depends on working DNS.
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,time.google.com
# Graphs are viewable from 192.168.0.0/16, which covers all four local
# subnets (10, 20, 30 and 100).
# NOTE(review): narrow allow-address if only one network should see them.
/tool graphing interface
add allow-address=192.168.0.0/16
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
# MAC-layer management access is limited to the LAN list; that list contains
# the bridge and all three VLAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: no internet access

Tue May 14, 2019 12:02 am

Assuming your WAN connection is delivered via the SFP port on VLAN 7, remove add bridge=bridge interface=sfp1 from /interface bridge port - the WAN connection doesn't need to go anywhere near the bridge if it is only feeding the Mikrotik.

The most glaring problem is the misconfigured bridge, it should be at least:
# Corrected VLAN table proposed in this reply: the bridge itself is a tagged
# member of each VLAN, together with the two wireless interfaces that serve
# it; no untagged members.
/interface bridge vlan
add bridge=bridge tagged=bridge,comp_net_2,comp_net_5 vlan-ids=10
add bridge=bridge tagged=bridge,spy_net_2,spy_net_5 vlan-ids=20
add bridge=bridge tagged=bridge,home_net_2,home_net_5 vlan-ids=30
but there doesn't appear to be any configuration for ether2-5; if they are supposed to be attached to the 192.168.100.0/24 subnet, then also add:
# Belongs under /interface bridge vlan: the bridge and ether2-5 become
# untagged members of VLAN 1.
add bridge=bridge untagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=1

Why have you used use-service-tag in /interface vlan and /interface wireless ? Unless you are specifically using QinQ stick to normal rather than service tags.

There are various other oddities - ether1 in the WAN interface list but not used, MTU settings not default, WAN firewall rules on incorrect interfaces but probably not enough to stop it working.
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: no internet access

Tue May 14, 2019 5:19 pm

Use this reference for vlans..........
viewtopic.php?f=13&t=143620
 
HJL
just joined
Topic Author
Posts: 2
Joined: Sun May 12, 2019 4:26 pm

Re: no internet access

Wed May 15, 2019 7:50 pm

Thanks for help, good references and very detailed examples.
Have to read now ... ;-)
